Vulnerability
Sambar
Affected
Sambar server 4.4 Beta 3
Description
Guido Bakker found following. The Sambar Server comes with a
non-caching HTTP proxy server and basic SMTP, POP3, and IMAP4
proxy servers compiled in. Sambar was created to test a
three-tier communication infrastructure modeled after the Sybase
Open Client/Open Server. Originally developed on a Sun
Workstation (UNIX), it was ported to the PC (Windows 32) and
licensed for commercial purposes.
The vulnerability occurs in the search.dll Sambar ISAPI Search
shipped with this product. This dynamic link loader does not
check on the 'query' parameter that is parsed to the server,
therefore by constructing a malformed URL we are able to view the
contents of the server, all folders, and files. Thanks also to
USSR Labs for further testing.
All that is needed is a malformed query parameter parsed to the
search.dll file.
http://server-running-sambar.com/search.dll?search?query=%00&logic=AND
.. this will reveal the current working directory contents.
http://server-running-sambar.com/search.dll?search?query=/&logic=AND
.. this will reveal the root dir of the server.
Solution
The vendor of Sambar Technologies has been contacted, so wait
until a patched version comes out.